Re: Wheezy update of ikiwiki?
On Sat, 07 May 2016 at 23:34:12 +0100, Simon McVittie wrote:
> On Sat, 07 May 2016 at 23:36:36 +0200, Markus Koschany wrote:
> > CVE-2016-4561 would be rather easy to fix in Wheezy but if you think the
> > ImageMagick mitigation is even more important, it is certainly possible
> > to fix that too.
>
> Yes, I do think that. The security team have given me permission to
> upload both changes to jessie-security, so that's in the pipeline now.
>
> I'll look into preparing a matching wheezy update tomorrow.
Please review and/or test:
<https://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/debian-wheezy-proposed>
<https://people.debian.org/~smcv/ikiwiki_3.20120629.2+deb7u1/>
(unsigned temporary package for testing, will be signed when ready)
Note that I haven't done any real-world testing on this version, because
I haven't run wheezy since around the time jessie was released, and my
production ikiwiki instances use the latest upstream release from
jessie-backports. t/img.t passes in autopkgtest and an SVG [[!img]]
in the documentation still works, though.
The ImageMagick mitigation involved some re-indentation, so the easiest
version to review is probably ignore-space-change.patch, which is the
result of git diff --ignore-space-change.
Some notes about the debdiff to pre-empt questions that people will
probably have:
* Some diffs appear twice. This is because debdiff dereferences
symbolic links and compares the content: NEWS and ChangeLog are symlinks
to equivalents in debian/.
* .gitignore and .gitattributes are in the debdiff because
old git-buildpackage excluded them, and new git-buildpackage
doesn't. They should have no practical effect either way, and I don't
intend to waste time redoing the package to exclude them.
* I backported the entire img plugin because the mitigation
doesn't merge cleanly onto a 4-year-old version, and in my opinion,
either resolving the conflicts or arbitrarily reverting individual bug
fixes would have a higher risk of regressions than taking the whole
thing. It is now identical to what's in jessie-security, and almost
identical to what's in sid (an extra commit making img_allowed_formats
case-insensitive was accidentally left out of 3.20160506 and will be
in the next release to sid).
* The autopkgtest suite only includes img.t and not the complete
test suite from sid, because turning the build-time tests into
as-installed tests post-jessie involved a significant diffstat.
Regards,
S